Archived ⇒ index replaced?

All of a sudden my site said:

Please reinstall PHP-Nuke because a error has occured in your MySql Database!

on all pages.

After a little digging I found that someone had edited or replaced my index.php page with this one:

<html> <head> <title>PHP NUKE ERROR!</title> </head> <body> Please reinstall PHP-Nuke because a error has occured in your MySql Database! </body> </html>

Replacing my old index fixed the problem, but I'm not sure how I was hacked, or how to prevent it in the future.

Needs to have fisically or ftp access to the server. But i gess is ftp access becouse if he can fisically access the server he can do more then replace a file.

You can never be sure if it was a rootkit, a virus or simply a netspoof that stole your access (and be gratefull that you still have it along with most of your data).

• Change all your current passwords for sure.
  
• Search thru database for additional super users.
  
• Check/reset files/dirs' attributes/rights.
  
• Then remove all modules, update and compile new kernel with only needed ones included in it.
  Make sure you compile only what you will use, because adding unused ones like IPv6 (bet many of you forgot to make iptables rules for it) increases potential holes in your system.
  
• Backup (and recheck) all essential configs then reinstall all network related packages.
  
• Finally make sure there are no suspicious network connections and parasite processes loaded.

Ofcourse get latest versions for all of the software you're using.
Do all this, after you clean sweap suspicious processes/software and set firewall to allow only connections from your IP.

If you want to go the easy way (usually faster one) - backup your existing database and important files then format and install latest version of choosen OS & Nuke...

Better do this quickly, while you still can. You don't know that guy what kind of sick joke may attempt to make next time he gains access. Such warnings must be taken seriously, as your ignorance may further provoke hackers.

If you're so curious what exactly hit you - keep (and later analyse) all logs left behind before reinstalling.

all of which is assuming s/he runs his/her own server.

Wow just learned the importance of removing the install.php file I believe. Someone replaced my index.php with one of those great messages about my site being hacked by some childish imature moron but I have to say CPG-Nuke handled it much better than PHP-Nuke as on 2 of my 20 sites or so the hacked and the php-nuke they deleted every file on the server so that will take a little longer to fix as I have to re-upload all the files but the databases are still intact. Guess that site will also be migrating to CPG nuke now on that one.

You would think these sites someone would have better things to do as one was simply a small Boyscout troops site at troop77id.com and the other is a Boycott Amazon.com site at no-amazon.com neither of them are for profit these morons need to find a better thing to do with their time and abilities like hack someones site someone might notice like Amazon.com.

Hi,
My site was hacked but not sure how it was done.
It was done the same as the others, being all my files named
index were overwritten with some other crap about Islam.
This is what was written to every index page of my site...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>HACKED BY XORON</title> <style type="text/css"> <!-- .style1 { font-family: "TRebuchet MS"; font-weight: bold; font-size: xx-large; } .style2 {font-size: small} body,td,th { color: #FF0000; } body { background-color: #000000; } .style3 {color: #FFFFFF} .style5 {color: #00CCFF} --> </style> </head> <body> <p align="center" class="style1">HACKED <span class="style3">BY</span> XORON<br /> <span class="style2">Turkis<span class="style3">H</span>ackeR </span><br /> <img src="http://img505.imageshack.us/img505/4761/bayrakaw6.gif" width="498" height="294" border="0" /></p> <p align="center" class="style1"><span class="style3">for</span> PALESTiNE - <span class="style3">for</span> iSLAM</p> <p align="center" class="style1">iSRAİL <span class="style3">Allah belanızı versin.Mekanınız</span> cehennem <span class="style3">ola</span>!</p> <p align="center" class="style1">server rooot:)</p> <p align="center" class="style1">uid=0(root) gid=0(root) </p> </body> </html>

I was running the DF Teamspeak module\block & I was also running a player tracker block (using xml). I think they may have gained access through one of those but I don't know. Has anyone got a script that can run with the site & catch these childish hackers in the act & prevent\ban them???
Thanks for any & all help or input.

t4dog wrote

I was running the DF Teamspeak module\block & I was also running a player tracker block (using xml). I think they may have gained access through one of those but I don't know.

As the author of Teamspeakdisplay for Dragonfly (which is the module I presume you're referring to), I'd be curious as to why you came to that conclusion. It has no file write capability whatsoever.

As a general rule, most site hacks involving Dragonfly have been a result of site misconfiguration or other issues outside of the Dragonfly framework. Speculating that Dragonfly or a particular module is to blame without providing some detailed analysis is liable to... offend... the authors involved.

There is a huge difference between saying "My site was hacked in such-and-such a way. I'm running Dragonfly CMS 9.0.6.1, with the additional modules such-and-such version so-and-so" and saying "I have no reasonable basis, but I think these modules are to blame for my site being hacked".

I'm not aware of any way that Teamspeakdisplay for Dragonfly could be involved in your problem with your site. Like any other DF team member and module author, I take intense interest in security issues, and of course want to make sure the code I contribute is as bullet-proof as possible.

Without additional forensics, there's not much we can do to assist you, unless someone happens to be familiar with this particular hacker's M.O.